
First reason: prevent a SPF (Single Point of Failure). If this all-in-one box dies you'll be left with nothing. It'll happen sooner or later.
Second reason: you can choose the best bang for your money per function.
Third: it's way more scalable. You can replace parts like Lego bricks.

NB: I'd also never ever use ISA as a firewall. It's a good proxy, but the firewall is based on the IP stack of Windows, so I'd use a dedicated hardware firewall like Cisco's PIX, Checkpoint FW-1 (on Nokia hardware) or a Netscreen.

Oliver's Law:
Experience is something you don't get until just after you need it.

I would suggest a Fortinet box, maybe a Fortinet-60 depending on the size of those 4 sites and their bandwidth consumption. We use them regularly and they have pretty much every feature you could want, all for a good price.

Some of the other models provide other/more features including wireless (eeeek!).

It's an easy box to manage as well: easy to set up and manage (great GUI).
For cost, ease of use, and total features, I don't think you can beat it.
I just saw a thread recently on SecurityFocus that asked the same question, and a large percentage of the responses hailed the Fortinet. I am pretty sure they will send you out some demo boxes if you are interested in testing.

As for the Single Point of Failure issue that SirDice raised, I have seen clients run two of these boxes in parallel for that very reason. The second box's config is simply mirrored from the first one's. This is a bit more practical (for small and medium sized companies) than it sounds due to their overall lower cost.

I agree with SirDice: if anything happens to your "all in one" solution, everything stops. Probably not a good thing.

Some things to look at would be combining some functions like anti-virus and anti-spam. Two products I am familiar with are Brightmail (runs on Linux or Windows) and Tumbleweed (runs on Windows). Both products allow for redundancy so you can drastically minimize downtime.

For IDS/IPS I kinda like appliances (less admin hassle). I have used TippingPoint, which seems to work very well (it can also be set up for redundancy).

I think content filtering is a different animal and again needs its own box. There are LOTS of options for that. The one I am familiar with is Websense. They have several different options for implementation. The one I have implemented most is a PIX firewall pointing to Websense running on a Windows box. The PIX would be redundant but the Websense box is not, as that function is far less critical and can be configured to bypass if a problem arises.

You will note a theme of redundancy here. If your Internet traffic (browsing, email, FTP, B2B, VPN) is critical to your company then you don't want that stuff to stop working because there is a problem with one of your security/protection functions.

I am not familiar with the Fortinet box that Eyecre8 is suggesting, but if they can be set up as redundant boxes it might be interesting to look at.

Just my thoughts...

m2

Work... Some days it's just not worth chewing through the restraints...

I would go with the multiple box approach, either by having one system duplicated or by having your services spread over two or more servers. What it depends on is how business critical each of the different services is and how much of a budget you have. I have some experience with Tumbleweed and it worked OK for us, but we had centralised our services. All Internet activity and mail came through our main site and was then distributed to our other sites.

\"America is the only country that went from barbarism to decadence without civilization in between.\"
\"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
Oscar Wilde(1854-1900)

Thanks for your responses, very useful. Yes, ideally a multi-box approach would be great and preferred; however, the "BOSS" wants an all-in-one solution in his infinite wisdom.

So we are trying our best to accommodate that and research such an appliance. So far the Astaro is looking like the kiddie. We did get some recommendations from a reseller offering Fortinet, but we couldn't find any good review on it.

Astaro is looking like what we want at the moment, unless anyone has anything further to add.

We are basically looking for the following (IDS/IPS, anti-spam, web content filter, etc.) and need it to accommodate the following:

Can it sit inline with an ISA 2004 comfortably? We use ISA 2004 as our edge firewall.

Can you disable the firewall feature so we can continue to just use ISA 2004?

Does it comfortably handle drive-by downloads?

Can any one of the features be disabled if not required?

Does it offer IDS as well as IPS?

Also does the IPS/IDS work in a routed environment or would we need one in each site?

We have 4 sites (subnetted) which all use the same edge firewall/gateway to the outside world.

Our destiny is to endure all hardships that we encounter along the path to what we perceive to be true and worthwhile !

I see this thread is almost a month old, so you may have made a purchase already, but you may want to check out SonicWall too. I've not used it for all of those purposes, but I believe that it will do everything you need. I don't know about "disabling" the firewall, but you certainly could open it wide up if nothing else.

You're right ChronoSec, a SonicWall will do all of these. Also, geepod, as SirDice recommended, I would not use the ISA as the perimeter firewall. Instead of disabling the firewall functionality, why not layer the ISA behind the SonicWall?

Use the SonicWall as the perimeter firewall, and simply select the "Back Firewall" configuration on ISA 2004. This is fairly straightforward to do, and will provide your network with a nice little buffer zone between the two. Then you can use ISA where it really does good things, like web caching and egress filtering. I personally wouldn't use it as my only ingress filter; I have been bitten more than once due to that.

Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
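As an added illustration (not code from the thread, nor configuration from SonicWall, ISA, PIX or Websense), here is a small Python model of the layered design the posts above describe: a mirrored perimeter firewall pair that fails closed, an ISA-style back firewall doing egress filtering behind it, and a content filter that is allowed to fail open because it is the least critical function. The hop names, addresses, ports and policy rules are assumptions invented for the example; what it shows is how the verdict changes when one unit of the pair dies, when both die, and when the non-redundant filter dies.

```python
"""Model of a layered, partly redundant gateway path (added example).

Hop names, policies and the sample requests are constructed for the
illustration; they are not the configuration of any product in the thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    src: str            # constructed internal source address
    dst_port: int
    url: str = ""


@dataclass
class Hop:
    """One security function on the path from the LAN to the Internet."""
    name: str
    decide: Callable[[Request], bool]  # True = this hop allows the request
    fail_open: bool = False            # bypass when down (content filter) or block (firewalls)
    units: int = 1                     # 1 = single box, 2 = mirrored pair
    failed_units: int = 0

    @property
    def up(self) -> bool:
        # A mirrored pair keeps serving as long as one unit is alive.
        return self.failed_units < self.units


def run_chain(req: Request, chain: List[Hop]) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the request through every hop in order; return verdict and a per-hop trace."""
    trace: List[Tuple[str, str]] = []
    for hop in chain:
        if not hop.up:
            if hop.fail_open:
                trace.append((hop.name, "bypassed"))  # function down, traffic still flows
                continue
            trace.append((hop.name, "outage"))
            return "blocked_by_outage", trace         # critical function down: everything stops
        allowed = hop.decide(req)
        trace.append((hop.name, "allow" if allowed else "deny"))
        if not allowed:
            return "denied", trace
    return "allowed", trace


# Assumed policies for the three hops (invented for the example).
def perimeter_policy(r: Request) -> bool:
    return r.dst_port in (80, 443, 25)


def back_firewall_policy(r: Request) -> bool:
    # Egress filtering layered behind the perimeter: only the assumed mail relay may speak SMTP.
    return r.dst_port != 25 or r.src == "10.0.0.25"


BLOCKED_SITES = ("casino.example", "malware.example")   # constructed block list


def content_filter_policy(r: Request) -> bool:
    return not any(r.url.startswith("http://" + site) for site in BLOCKED_SITES)


def build_chain(perimeter_failed: int = 0, back_fw_failed: int = 0,
                filter_failed: int = 0) -> List[Hop]:
    return [
        Hop("perimeter-fw", perimeter_policy, fail_open=False, units=2, failed_units=perimeter_failed),
        Hop("back-fw", back_firewall_policy, fail_open=False, units=1, failed_units=back_fw_failed),
        Hop("content-filter", content_filter_policy, fail_open=True, units=1, failed_units=filter_failed),
    ]


def scenarios() -> Dict[str, str]:
    """Verdicts for a set of constructed requests under different outages."""
    web = Request("10.0.0.50", 80, "http://www.example.com/")
    smtp_from_workstation = Request("10.0.0.50", 25)
    blocked_site = Request("10.0.0.50", 80, "http://casino.example/")
    return {
        "healthy_web": run_chain(web, build_chain())[0],
        "one_perimeter_unit_down": run_chain(web, build_chain(perimeter_failed=1))[0],
        "both_perimeter_units_down": run_chain(web, build_chain(perimeter_failed=2))[0],
        "back_fw_down": run_chain(web, build_chain(back_fw_failed=1))[0],
        "filter_down_blocked_site": run_chain(blocked_site, build_chain(filter_failed=1))[0],
        "layered_egress_smtp": run_chain(smtp_from_workstation, build_chain())[0],
        "blocked_site": run_chain(blocked_site, build_chain())[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict}")
```

The two outcomes worth noticing are "layered_egress_smtp", which the perimeter allows but the back firewall denies (the buffer zone does real work), and "filter_down_blocked_site", which is allowed because the filter bypasses on outage: that is the trade m2 describes for Websense, and it is only acceptable because the firewalls in front of it are redundant and fail closed.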

I'm not sure of your budget, but those are the three devices that we looked at about 6 months ago. We wound up going with the Fortinets, though, since we already have a ton of them in our network. SonicWall was a close runner-up for us.

Cisco ASA = suck... at least in the beta stage they did. We had to have a dev engineer come out to set it up, and we are almost a full "Powered By Cisco" site O_O. We have three CISSEs on site and they couldn't get the thing working properly. Even the dev engineer had problems. If you are hell-bent on Cisco, though, then you should at least check them out.

/we got 8 Fortinet 3000's for this project

Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.